The Proprietary Failure to Protect Privacy

by Ben Pearson

January 13th, 2014

All social interaction requires some degree of trust. This trust has become much harder to understand in the Information Age as we interact with a wide variety of online services daily, many of them requiring the transfer of private information. Businesses, governments, citizen groups and many other organizations need a method for ensuring their private information remains private. With the increasing instances of data leaks and stolen information over the Web in recent years, people need the tools they rely on to adequately protect valuable information.

In part one of this series, I covered the issues our global society faces due to expansive government spying operations. This article will explain the problems created by relying on proprietary standards, software and designs as a solution and will begin to demonstrate the role open source plays in addressing these gaps.

The Inadequacies of Proprietary Privacy

Proprietary applications have the potential to offer exceptional levels of privacy and security, if they are designed correctly. The amount of effort put into privately controlled applications is usually far greater and more comprehensive than distributed open source communities. The problem that arises is one of transparency. How can users know the companies they rely on are adequately protecting their data?

In the instance of Google’s mobile operating system, Android, software security is quite robust and its very hard for malicious applications to harm the underlying operating system. On the other hand, private user information can be made accessible to undesirable parties through Android’s permissions system. A simple flashlight app could be used to maliciously collect information on the user such as their location, email address, contact list, or virtually any other data stored on the phone. Security in this instance relies on the vigilance of the user through their control over permissions whenever they install new apps. Even so, it is impossible to get a clear picture of how information is being shared with applications.

The NSA leaks have revealed that many companies have been forced by the US government to hand over private information about users and the software they use. Edward Snowden revealed that Microsoft aided the NSA by helping them circumvent encryption protocols, giving them access to users email messages, cloud file storage and Skype video calls. The government has the right to investigate criminal behavior, and, through the use of search warrants, could be justified in some of these actions. The greater issue here is one of transparency, as this is occurring without the knowledge of the people being spied upon, even if those people have little or nothing to do with what is being investigated.

Transparency is Key

Open source solutions offer a unique remedy for situations such as these. While the quality of security of open source applications can vary greatly depending on the software and the purpose for which it is being used, open access to the source code allows the developers that incorporate these programs into their own to fully understand the steps taken to ensure privacy. In addition, in order for privacy to be effective in an open source application, the user must entirely control the method of encryption, since encryption protocols divulged in the source code would be easy to crack. This removes the potential for the government to target a specific person or business to gain access to widespread private information as they did with Lavabit and Microsoft.

Multiple companies have already developed and released a multitude of open source privacy applications; a number of these applications have received increased attention in the aftermath of the NSA spying revelations. Similar to the D-Central, Commotion allows nearly any Wi-Fi-enabled computer to participate in a decentralized mesh network. It works similar to a typical network design and allows the use of standard encryption methods like SSL and HTTPS.

Occupy Here is an open source program that allows anyone to make a locally hosted website for nearby people to share photos and participate in message board discussion. This program could likely be expanded to offer additional methods of communication. It was originally created during the Occupy Wall Street protests towards the end of 2011 and offers participants a secure and private service for communicating locally.

One of the more widely successful open source privacy applications is Tor. Originally created by the U.S. Naval Research Laboratory for the purpose of protecting government communications, Tor provides a network of virtual tunnels that improves privacy by directing a user’s traffic between several nodes that participate in the network. Web traffic leaves the user’s computer and enters the tor network through an entrance node, then sent through a chain of intermediary nodes located around the world. The traffic finally arrives at an exit node and is transferred to the destination. Each node only knows the location of the specific nodes from which it received traffic and to which it sends traffic, and they have no information of any of the other locations that make up the chain. The only exception to this is the exit node

The NSA has struggled to reveal the identity of Tor users, because node specific encryption between each segment of the network ensures that the identity of the originator can only be determined if every single node in the chain is controlled or directly monitored by the government. Tor has great potential to offer any company privacy solutions to avoid governmental spying and its relative ease of use makes it an attractive solution.

The Open Source Path

Open source solutions offer a level of transparency that is unrivaled by proprietary applications; this transparency is vital to information security because it is the only way users can know how their information is being used with absolute certainty. Snowden has continued to reveal the questionable activities of the US government and their close relationship with technology companies located within the US. These activities have increased the awareness of open source alternatives across the globe and this trend will likely continue as more information is revealed about this spying. It appears that we are currently at a tipping point in the transition from proprietary security solutions to those that are open source; as this awareness increases we will see a multitude of new open source applications being developed.